The Health Insurance Portability and Accountability Act (HIPAA) is ever evolving. Its purpose is to protect patients’ protected health information (PHI) from being disclosed without the patient’s consent or knowledge. It also sets national standards for electronic healthcare transactions and outlines guidelines for keeping healthcare data secure. The last big update to HIPAA regulations was over a decade ago via the Omnibus Final Rule, but the healthcare landscape has changed a lot since then.
In recent years DHS has been asking Congress for more funding to investigate alleged violations of HIPAA, so understanding and complying with the rules is as critical as ever. Potential fines range from $100 per violation to $1.5 million, and some infractions can lead to imprisonment. But, aside from the penalties, recent updates may also affect how you manage patient data, interact with technology, and communicate with other healthcare entities. A lack of awareness is no defense against avoidable HIPAA violations.
The best place to keep up on the latest changes is the HIPAA Newsroom. However, a summary of the latest changes, as they pertain to chiropractic, follows:
Reproductive Healthcare Privacy
HIPAA regulations around reproductive healthcare have tightened (see this HHS Fact Sheet for more). As of April 2024, new rules protect patients seeking reproductive healthcare, such as contraception, miscarriage management, and fertility treatments. Covered entities (CEs) and business associates may not use or disclose PHI to conduct a legal investigation where the reproductive services are lawful in the state where the care was provided, nor may PHI be used to identify anyone in the course of such an investigation.
When an investigator requests that a covered entity or business associate disclose reproductive PHI, as of Dec. 23, 2024, the covered entity or business associate must obtain from the investigator a signed attestation that the PHI will not be used for a prohibited purpose (as listed on the form). The Department of Health and Human Services (HHS) has provided a model form here: https://www.hhs.gov/sites/default/files/model-attestation.pdf
HIPAA policy and procedure manuals should be updated to address this information. Chiropractors and other healthcare providers are also required to modify their Notice of Privacy Practices (NPP) to address reproductive healthcare privacy. The deadline for updating the NPP is February 16, 2026. Here is a sample statement that could be added:
“We are committed to protecting the privacy of your reproductive protected health information (PHI) and will not disclose it when requested for the purpose of investigating or penalizing individuals seeking, obtaining, or providing lawful reproductive healthcare. If disclosure is requested, we will require a signed attestation confirming it is not for such prohibited purposes. Your reproductive healthcare decisions are private, and we will take all necessary steps to protect that confidentiality.”
Substance Use Disorder (SUD) Regulations
A Final Rule published in February of 2024 made changes to how HIPAA rules apply to substance use disorder records (see this HHS Fact Sheet for more). These records now require a separate consent for disclosure, and patients have expanded rights to access these records. Policy and procedure manuals and the Notice of Privacy Practices need to include information about this consent and these rights. For a chiropractic physician, this also means that SUD information is likely to be redacted from shared records. Again, the deadline for updating the NPP is February 16, 2026, but here is some suggested verbiage:
“We will not disclose any substance use disorder related records without your written consent, except as permitted by law, including, for example (but without limitation), a court order or a medical emergency. You have rights regarding these records, including access, confidentiality requests, and an accounting of disclosures.”
Proposed Privacy Rule Changes
The Office for Civil Rights (OCR) proposed some changes in December 2020 that are likely to go into effect in the near future. At the time of this article, they are not finalized; however, it is wise to be prepared. These changes include:
- Allowing patients to photograph their Protected Health Information (PHI) in person.
- Reducing the time to respond and provide access to PHI from 30 to 15 days, increasing the administrative burden on providers.
- Revising the definition of electronic health records (EHR) to include billing records, meaning these also would need to be made available to patients when records are requested.
- Prohibiting covered entities from imposing unreasonable measures on individuals exercising their right of access, such as complicated identity verification requirements.
- Informing patients of the risks associated with sharing their records with a personal health application of their choice.
Cybersecurity Goals
The Security Rule has largely remained unchanged since 2013. A December 2023 Security Rule Concept Paper outlines cybersecurity performance goals that are currently voluntary, but will likely become mandatory. For smaller practices, implementing these security goals may require assistance. Fortunately, there are discussions about offering financial support to low-resourced healthcare providers to help them meet cybersecurity standards without overwhelming financial burdens. Chiropractic practices should keep this in their sights and look into these additional resources in the next year or two.
Third-party Website Tracking
Data encryption is an important element of the HIPAA Security Rule. HHS has beefed up requirements for encryption related to healthcare websites that use third-party tracking tools like cookies and pixels to analyze visitor behavior. As a healthcare provider, you are required to make sure that the risks of this type of tracking have been considered. The HIPAA policy and procedure manual should address how the clinic will minimize those risks. One such policy should be to include information about this data when gaining patient consent.
Patient Access APIs
A healthcare industry trend of which chiropractic offices should be aware is the “CMS Interoperability and Patient Access” final rule, which requires some entities to create a Patient Access Application Programming Interface (API) so that patients can access their health data through a third-party application. In other words, when making improvements, offices should plan ahead by looking for software and other tools with this capability. Note that the mandated standard for this type of data exchange is referred to as FHIR (Fast Healthcare Interoperability Resources).
Implications for Chiropractic Offices
Chiropractors, like all covered entities, must ensure compliance with both the HIPAA Privacy and Security Rules. But HIPAA is no longer just about protecting patient privacy and security; it’s also about ensuring patient access to health data in a secure and efficient manner. For instance, allowing access to personal health apps via APIs while preventing unauthorized use or disclosure of PHI is now a vital consideration.
To avoid compliance risks in 2024 and beyond, chiropractic offices should:
- Revise HIPAA policy and procedure manuals to include the relevant information from this article.
- Review and update Notice of Privacy Practices to reflect new requirements, especially related to reproductive health and substance use disorders.
- Implement or enhance cybersecurity measures in line with the upcoming performance goals.
- Ensure patient access to their health data via secure apps, in compliance with new interoperability rules.
- Prepare for increased investigations and penalties for non-compliance, especially if your office processes ePHI.
In conclusion, chiropractors need to be proactive in navigating these regulatory changes. Whether your practice is solo or part of a larger healthcare network, understanding the impact of these new regulations—and planning ahead—will be essential in 2025.
Dr. Evan Gwilliam is a Certified Professional Compliance Officer, among other things, and the Vice President of Practisync, which partners with your state association to offer special rates on third party billing. If you have questions about this article or Practisync, you can contact Dr. Gwilliam at evan.gwilliam@practisync.com.